main.yml

name: Build

on:
  push:
    branches: ['**']
  workflow_dispatch:

jobs:
  snyk_scan_deps_licences:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'wallet-sdk'
          step_name: 'snyk-scan-deps-licenses'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for deps vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

  snyk_scan_code:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'wallet-sdk'
          step_name: 'snyk-scan-code'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for code vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
          command: code test

  snyk_sbom:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'wallet-sdk'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
          command: sbom

  test_and_lint:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18.x'

      - name: Install dependencies
        run: npm ci

      - name: Running lint
        run: npm run lint

      - name: Running tests
        run: npm run test

      - name: Build
        run: npm run build

      - name: Prepare artifact
        run: rm -rf node_modules e2e lib sandbox

      - uses: actions/upload-artifact@v3
        with:
          name: wallet-sdk.${{ github.sha }}
          path: .

  snyk_monitor:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
    needs:
      - test_and_lint
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-monitor'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Enable Snyk online monitoring to check for vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
          command: monitor